Economic Sector

Last updated: Wednesday, December 19, 2018

Ransom and Extortion Motivated Attacks

Posted: Tuesday, October 10, 2017

In a digital climate in which avoiding downtime is a competitive advantage, ransom-motivated attacks can be a nightmare for network security teams. Ransomware is malicious software designed to infect a vulnerable computer system and encrypt its files so that an attacker can demand a sum of money to unlock them.

There are two main types of cyber-attacks companies face today that involve ransom and extortion:

Ransom attack: Attackers encrypt the files on an organization’s network with ransomware, effectively holding the data hostage and refusing to unlock the files unless a ransom fee is paid.

DDoS extortion attack: Attackers threaten an organization with a DDoS attack unless a fee is paid. DDoS extortion has been a problem for security teams for many years, and it remains a primary motivator for DDoS attacks.

Two recent global ransomware attacks, WannaCry and NotPetya, have increased public visibility into the devastating effects that ransomware can have on an organization’s critical assets. The WannaCry ransomware attack affected more than 300,000 computers in more than 150 countries. The NotPetya ransomware attack was more destructive. It spread faster than the WannaCry ransomware and caused “permanent and irreversible damage” to a computer’s hard drive. One report shows that in 2016 almost half of United States-based companies experienced a ransomware incident.

The cost of a ransomware incident can be significant:

The ransom payment itself can be large. In one case, a South Korean web hosting company paid a ransomware demand of more than $1 million, the largest ransomware payment to date, to regain access to its servers.

Making a ransom payment does not guarantee that the attacker will provide a decryption key.

Paying the ransomware demand could increase a company's chances of being attacked again in the future.

Organizations within industries where 24/7 availability is expected as the standard (such as the financial industry) are more susceptible to extortion and ransomware attacks. In 2016, financial companies were threatened with DDoS attacks unless a payment was made by a specified date and time. The attackers also threatened to infect the companies’ networks with ransomware if payment was not made.

DDoS attacks and ransomware attacks are damaging enough when used separately to cripple an organization's network. However, cybercriminals are becoming more sophisticated and are combining DDoS attacks and ransomware for greater impact. In one published attack, a ransomware variant held the organization's machines and data hostage until the ransom was paid. While the attackers waited for the ransom payment, they used the organization's machines as part of a botnet to launch DDoS attacks on another unsuspecting victim.

The Role of DNS in Defending Against Ransomware Attacks

Domain Name System (DNS) controls can play an important role in helping to identify and protect users from malware and ransomware attacks. When DNS resolvers use security risk information feeds, that information can be used to set up filters that proactively analyze and identify command-and-control (C2) connection attempts. Because many ransomware strains contact a C2 server before or during encryption, blocking or sinkholing those lookups at the resolver can help to stop the encryption process. For more information, download our e-book, Using DNS to Combat Ransomware.